Security at The Prompt Fixer™
We take security seriously. Here's how we protect your data.
Last updated: January 23, 2026
Authentication Security
Multi-Factor Authentication (MFA)
- TOTP-based authentication (Google Authenticator, Authy, etc.)
- MFA secrets encrypted with AES-256-GCM
- Per-user encryption key derivation
- Recovery codes for account access
Account Protection
- Account lockout after 5 failed login attempts
- 15-minute lockout cooldown period
- Password strength requirements with breach detection
- Common password and pattern detection
Session Management
- View all active sessions across devices
- Browser, OS, and device type tracking
- Revoke individual sessions or all sessions
- Automatic session expiration
Audit Logging
- All authentication events logged
- Account changes tracked
- Security events monitored
- 90-day log retention
Rate Limiting
We use Redis-based sliding window rate limiting (Upstash) to protect our infrastructure and ensure fair usage:
- Anonymous web users: 5 AI generations per day per device
Service Resilience
Our infrastructure is designed for high availability with multiple resilience patterns:
Database Resilience
- Automatic retry with exponential backoff
- Connection drop recovery (Postgres restarts)
- Graceful degradation on service unavailability
- Physical backup transitions with zero downtime
Circuit Breaker Pattern
- SDK includes automatic circuit breaker
- Prevents cascade failures
- Configurable thresholds and recovery
- Half-open state for gradual recovery
Rate Limit Fallback
- Distributed Redis rate limiting (primary)
- In-memory fallback when Redis is unavailable (per instance, so limits are approximate until Redis returns)
- Fail-open pattern: if neither store can answer, the request is allowed rather than blocked
- Automatic recovery when services restore
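The rate limiting, circuit breaker and fallback sections above describe one mechanism from three angles; this added example wires them together (it is not The Prompt Fixer's or Upstash's code). A sliding-window store keeps per-key hit timestamps, a circuit breaker wraps the distributed store so a dead Redis is not probed on every request, and the limiter falls back to a per-instance memory store and finally fails open. The `hit(key, limit, windowMs)` store interface, the Redis stand-in and the injected clock are assumptions for the demo; everything is synchronous for brevity where real stores would be async.

```javascript
// Added example, not The Prompt Fixer's or Upstash's code. Assumptions: stores
// expose hit(key, limit, windowMs); the "Redis" store is a constructed stand-in
// that can be switched off; the clock is injected so the run is deterministic.

class CircuitBreaker {
  constructor({ failureThreshold = 3, resetMs = 30_000, now = () => Date.now() } = {}) {
    Object.assign(this, { failureThreshold, resetMs, now, state: 'closed', failures: 0, openedAt: 0 });
  }
  call(fn) {
    if (this.state === 'open') {
      // Still cooling down: short-circuit without touching the dependency.
      if (this.now() - this.openedAt < this.resetMs) throw new Error('circuit open');
      this.state = 'half-open';                 // cooldown elapsed: allow one probe through
    }
    try {
      const result = fn();
      this.state = 'closed'; this.failures = 0; // probe (or normal call) succeeded: recover
      return result;
    } catch (err) {
      this.failures += 1;
      if (this.state === 'half-open' || this.failures >= this.failureThreshold) {
        this.state = 'open'; this.openedAt = this.now();   // trip (or re-trip) the breaker
      }
      throw err;
    }
  }
}

// Sliding-window log: per key, the timestamps of hits still inside the window.
// Exact, with O(limit) memory per key; fine for small limits such as 5/day.
class MemoryWindowStore {
  constructor(now) { this.now = now; this.hits = new Map(); }
  hit(key, limit, windowMs) {
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter(ts => t - ts < windowMs);
    const allowed = recent.length < limit;
    if (allowed) recent.push(t);
    this.hits.set(key, recent);
    return { allowed, remaining: Math.max(0, limit - recent.length) };
  }
}

class RateLimiter {
  constructor({ primary, fallback, breaker, limit, windowMs }) {
    Object.assign(this, { primary, fallback, breaker, limit, windowMs });
  }
  check(key) {
    try {
      return { ...this.breaker.call(() => this.primary.hit(key, this.limit, this.windowMs)), source: 'redis' };
    } catch (primaryErr) {
      try {
        // Per-instance counter: counts are not shared across instances while Redis is down.
        return { ...this.fallback.hit(key, this.limit, this.windowMs), source: 'memory' };
      } catch (fallbackErr) {
        // Fail open: a broken limiter must not turn into an outage for users.
        return { allowed: true, remaining: this.limit, source: 'fail-open' };
      }
    }
  }
}

// Constructed scenario: Redis is down for the first requests, then recovers.
function runScenario() {
  let t = 0;
  const now = () => t;
  const redis = {
    down: true,
    inner: new MemoryWindowStore(now),          // stands in for the shared Redis window
    hit(key, limit, windowMs) {
      if (this.down) throw new Error('ECONNREFUSED');
      return this.inner.hit(key, limit, windowMs);
    },
  };
  const breaker = new CircuitBreaker({ failureThreshold: 2, resetMs: 1000, now });
  const limiter = new RateLimiter({
    primary: redis, fallback: new MemoryWindowStore(now), breaker,
    limit: 5, windowMs: 24 * 60 * 60 * 1000,    // 5 generations per device per day
  });
  const decisions = [];
  for (let i = 0; i < 6; i++) decisions.push(limiter.check('device:abc'));
  // Calls 1-2 reach Redis and fail (breaker trips); calls 3-6 are short-circuited.
  // All six are served from memory; the sixth exceeds the limit and is denied.
  redis.down = false;
  t = 1000;                                     // cooldown elapsed: next call is a half-open probe
  decisions.push(limiter.check('device:abc'));  // probe succeeds, breaker closes again
  return {
    decisions: decisions.map(d => `${d.source}:${d.allowed ? 'ok' : 'deny'}`),
    breakerState: breaker.state,
  };
}
```

Note what the last decision shows: after failover back to Redis the device is allowed again, because the memory and Redis windows do not share counts. That is the availability-over-enforcement trade-off a fail-open design accepts; anything that must be strictly enforced (billing, abuse blocks) needs a store that fails closed.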
Data Integrity
- Daily physical backups (Supabase)
- Point-in-time recovery available
- Automatic backup verification
- Cross-region backup replication
Security Headers
- Strict-Transport-Security: max-age=31536000; includeSubDomains; preload (enforces HTTPS for the site and its subdomains and opts into browser preload lists)
- Content-Security-Policy: strict source directives that prevent XSS and injection attacks
- X-Frame-Options: DENY (blocks iframe embedding, preventing clickjacking)
- X-Content-Type-Options: nosniff (prevents MIME type sniffing attacks)
- Referrer-Policy: strict-origin-when-cross-origin (controls what the Referer header reveals)
- Permissions-Policy: restricts access to camera, microphone, geolocation, and interest-cohort
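A deploy-time check for the header set above, as an added example (not The Prompt Fixer's code): it takes a response's headers and reports anything missing or weaker than the stated policy, including the CSP cases that silently neutralise the policy (`'unsafe-inline'` without a nonce or hash, wildcard script sources). Both header sets below are constructed samples, not captured responses; the "good" set is what a response matching the policy would carry.

```javascript
// Added example, not The Prompt Fixer's code. Headers are given as a plain
// object (as fetch's response.headers would yield after Object.fromEntries).

// "max-age=31536000; includeSubDomains; preload" -> Map(max-age => '31536000', includesubdomains => true, ...)
function parseDirectives(value) {
  const m = new Map();
  for (const part of value.split(';')) {
    const [k, v] = part.trim().split('=');
    if (k) m.set(k.toLowerCase(), v === undefined ? true : v.trim());
  }
  return m;
}

// "default-src 'self'; script-src 'self' 'nonce-x'" -> Map(directive => [sources])
function parseCsp(value) {
  const m = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) m.set(name.toLowerCase(), sources);
  }
  return m;
}

function auditSecurityHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) findings.push('HSTS missing');
  else {
    const d = parseDirectives(hsts);
    if (!(Number(d.get('max-age')) >= 31536000)) findings.push('HSTS max-age below one year');
    if (!d.has('includesubdomains')) findings.push('HSTS missing includeSubDomains');
    if (!d.has('preload')) findings.push('HSTS missing preload');
  }

  const csp = h['content-security-policy'];
  if (!csp) findings.push('CSP missing');
  else {
    const d = parseCsp(csp);
    const script = d.get('script-src') || d.get('default-src') || [];
    const hasNonceOrHash = script.some(s => s.startsWith("'nonce-") || s.startsWith("'sha"));
    // With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline'; without one it disables the policy.
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push("CSP script-src allows 'unsafe-inline' without nonce/hash");
    if (script.includes('*')) findings.push('CSP script-src allows any origin');
    if (!d.has('frame-ancestors')) findings.push('CSP has no frame-ancestors (clickjacking defence relies on X-Frame-Options alone)');
  }

  if ((h['x-frame-options'] || '').toUpperCase() !== 'DENY') findings.push('X-Frame-Options is not DENY');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  if ((h['referrer-policy'] || '').toLowerCase() !== 'strict-origin-when-cross-origin') findings.push('Referrer-Policy is not strict-origin-when-cross-origin');

  const pp = h['permissions-policy'] || '';
  for (const feature of ['camera', 'microphone', 'geolocation', 'interest-cohort']) {
    if (!new RegExp('(^|,)\\s*' + feature + '=\\(\\)').test(pp)) findings.push(`Permissions-Policy does not disable ${feature}`);
  }
  return findings;
}

// Constructed sample matching the stated policy.
const GOOD_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=(), interest-cohort=()',
};
// Constructed weak sample: a typical partial configuration.
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src *; script-src * 'unsafe-inline'",
  'X-Frame-Options': 'SAMEORIGIN',
};
```

Run it against a live response with `fetch(url, { method: 'HEAD' })` and `Object.fromEntries(res.headers)`; a non-empty findings list should fail the deploy.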
Input Validation & Sanitization
All user inputs are validated and sanitized to prevent injection attacks:
XSS Prevention
- Script tag removal
- Event handler stripping
- JavaScript protocol blocking
- Data URI sanitization
SQL Injection Prevention
- Parameterized queries (the primary control: user input is bound as data, never spliced into SQL text)
- SQL keyword detection
- Comment syntax blocking
- Statement separator filtering
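The XSS list above is a blocklist (remove script tags, on* handlers, `javascript:` and `data:` URIs). This added example, which is not The Prompt Fixer's implementation, shows that list implemented naively next to the two controls a reviewer expects to carry the real weight for a prompt-editing app: HTML-encoding on output for the rendering context, and allowlisting URL schemes with the WHATWG URL parser. The sample inputs are constructed; the base URL in `safeHref` is an assumption.

```javascript
// Added example, not The Prompt Fixer's code. Generic illustration of why
// single-pass pattern removal is both bypassable and lossy, and what to use instead.

// Naive blocklist: one pass of pattern removal for the four items in the list above.
function blocklistStrip(input) {
  return input
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')        // script tags
    .replace(/\son[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '')   // on* event handlers
    .replace(/javascript:/gi, '')                                  // javascript: protocol
    .replace(/data:/gi, '');                                       // data: URIs
}

// Output encoding for the HTML text / quoted-attribute context. Nothing is
// removed, so the user's prompt survives intact and nothing can be reassembled.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// Scheme allowlist via the URL parser, which lower-cases the scheme and strips
// tabs/newlines, so obfuscated schemes are classified correctly. Returns the
// normalised href or null. The base (assumed) resolves relative links.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
function safeHref(raw, base = 'https://thepromptfixer.com/') {
  let url;
  try { url = new URL(raw, base); } catch (err) { return null; }
  return SAFE_SCHEMES.has(url.protocol) ? url.href : null;
}

// Render a user-supplied prompt and link into HTML using the two controls above.
function renderCard(prompt, link) {
  const href = safeHref(link);
  const anchor = href ? `<a href="${escapeHtml(href)}">link</a>` : '';
  return `<p>${escapeHtml(prompt)}</p>${anchor}`;
}
```

Two properties are worth checking for yourself: `blocklistStrip('javajavascript:script:alert(1)')` yields `javascript:alert(1)` because the removal is not repeated to a fixed point, and `blocklistStrip('Explain the metadata: field')` silently rewrites a legitimate prompt. Encoding and scheme allowlisting have neither problem.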
Vulnerability Disclosure Program
How to Report
- Email security@thepromptfixer.com
- Include detailed description and reproduction steps
- Allow reasonable time to fix before public disclosure
What to Expect
- Acknowledgment within 24 hours
- Status update within 5 business days
- Resolution target: 30 days (critical issues)
- Public credit if desired
Please Don't
- Access other users' data
- Perform DoS/DDoS attacks
- Publicly disclose before we've patched
Incident Response
In case of a security incident:
- Detection & Containment: under 1 hour
- Investigation: under 24 hours
- User Notification: within 72 hours (if you are affected)
- Remediation: permanent fix deployed
- Post-Incident Review: improvements implemented
Third-Party Services
Our infrastructure partners and their certifications:
Supabase
SOC 2 Type II. Database and authentication. Also HIPAA-ready and GDPR compliant.
Stripe
PCI DSS Level 1. Payment processing. We never store card numbers on our servers.
Vercel
SOC 2 Type II + ISO 27001. Hosting, deployment, and AI Gateway with global edge network.
Anthropic (Claude 4.5 Haiku)
SOC 2 Type II. AI processing via Vercel AI Gateway with Zero Data Retention (ZDR). Anthropic is a verified ZDR provider: your data is not used for model training.
Upstash
SOC 2 Type II. Redis-based rate limiting and session caching. Serverless with global edge distribution.
All vendors undergo security review before integration. Your data flows through certified infrastructure at every layer.
Reporting Security Issues
If you discover a security vulnerability, please report it responsibly:
- Email: security@thepromptfixer.com
- Include detailed steps to reproduce the issue
- Allow reasonable time for us to address the issue before disclosure
- Do not access or modify other users' data
Last updated: January 8, 2026